CVE-2025-64517 is a vulnerability classified under CWE-287 (Improper Authentication) affecting sudo-rs, a Rust-based implementation of the sudo and su utilities. The flaw exists in versions 0.2.5 up to but not including 0.2.10 when the sudo-rs configuration enables 'Defaults targetpw' or 'Defaults rootpw'. These options require the password of the target account (or root) rather than the invoking user for authentication. However, due to a logic error, sudo-rs records the invoking user's UID in the authentication timestamp rather than the authenticated target user's UID. This timestamp is used to bypass subsequent authentication prompts within the same terminal session. Consequently, a user with high privileges who knows the password of one allowed target account can execute commands as any other account permitted by the sudo policy without knowing their passwords. This effectively undermines the security intent of the 'targetpw' and 'rootpw' options, allowing privilege escalation and unauthorized command execution. The vulnerability does not affect versions prior to 0.2.5, as these options were not available, and is fixed in version 0.2.10. The CVSS 3.1 score of 4.4 reflects a local attack vector requiring high privileges but with no confidentiality or availability impact, and no user interaction needed. No public exploits have been reported. The flaw highlights the importance of correct UID tracking in authentication mechanisms to prevent unauthorized access escalation.

For European organizations, this vulnerability poses a risk of unauthorized privilege escalation on systems running affected sudo-rs versions with 'targetpw' or 'rootpw' enabled. Attackers or malicious insiders with elevated sudo privileges and knowledge of one target account password could execute commands as other privileged accounts, including root, bypassing intended authentication controls. This could lead to unauthorized system modifications, lateral movement, and potential compromise of sensitive data or critical infrastructure. The impact is particularly significant in environments with strict access controls relying on target account password verification to segregate privileges. Since sudo-rs is a relatively new implementation, its adoption may be limited but growing in security-conscious organizations valuing Rust's memory safety. European entities in sectors such as finance, government, and critical infrastructure that deploy sudo-rs could face increased risk of insider threats or privilege abuse. The medium CVSS score reflects moderate risk but the potential for serious integrity violations in sensitive environments.

European organizations should immediately audit their systems to identify installations of sudo-rs versions between 0.2.5 and 0.2.9. They must upgrade all affected instances to version 0.2.10 or later, where the authentication timestamp handling bug is fixed. Until upgrades are applied, consider disabling the 'Defaults targetpw' and 'Defaults rootpw' options to prevent reliance on the flawed authentication mechanism. Implement strict sudo policies limiting which users have high privileges and require password authentication. Monitor sudo usage logs for unusual patterns indicating potential abuse of authentication bypass. Employ multi-factor authentication where possible to add an additional layer of verification beyond passwords. Conduct regular security assessments and penetration testing focused on privilege escalation vectors. Finally, maintain awareness of updates from trifectatechfoundation and subscribe to vulnerability advisories to promptly address future issues.